
CVE-2026-1446: Medium Vulnerability in Esri ArcGIS Pro

A medium-severity Cross-Site Scripting (XSS) vulnerability has been identified in Esri ArcGIS Pro versions 3.6.0 and earlier. Local users can exploit this issue. Organizations must patch to version 3.6.1 to mitigate the risk.

Severity: Medium · CVSS 5 · Published January 26, 2026


CVE-2026-1446 is a Cross-Site Scripting (XSS) vulnerability affecting Esri ArcGIS Pro versions 3.6.0 and earlier. This vulnerability allows local attackers to inject malicious strings that can be executed when specific dialogs within the application are opened. The impact of this vulnerability is considered medium, with a CVSS score of 5. Organizations utilizing ArcGIS Pro should understand the risks associated with this vulnerability and prioritize remediation.

Since exploitation is limited to local users, the immediate risk may seem lower. However, the potential for misuse still exists, especially in environments where multiple users have access to the same systems. The urgency for organizations to address this vulnerability is underscored by its classification and the fact that no special privileges are required to exploit it.

The vulnerability was published on January 26, 2026, and fixed in version 3.6.1 of ArcGIS Pro. Organizations should prioritize patching immediately to mitigate any associated risks.

No public exploit has been confirmed, and it is not currently included in the Known Exploited Vulnerabilities (KEV) catalog. However, the potential for local exploitation remains a concern.

For organizations using ArcGIS Pro, addressing this vulnerability in their patch cycle is critical to maintaining security and preventing unauthorized access through local exploitation.

Vulnerability Details

CVE-2026-1446 is described as a Cross-Site Scripting (XSS) issue, where local users can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. The vulnerability affects ArcGIS Pro versions up to and including 3.6.0 and is patched in version 3.6.1.

The vulnerability has a CVSS score of 5, indicating medium severity. The attack vector is local with low complexity, and no privileges are required to exploit it. User interaction is necessary, which means the attacker needs to convince the victim to interact with the malicious input.

The common weakness enumeration (CWE) associated with this vulnerability is CWE-79, which pertains to improper neutralization of input during web page generation ('Cross-site Scripting').

Technical Analysis

The root cause of CVE-2026-1446 is that ArcGIS Pro does not neutralize user-supplied strings before rendering them in a particular dialog. When a local user opens that dialog, a string containing markup or script is interpreted rather than displayed as text, so the script runs in the context of the application.
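To make the CWE-79 pattern concrete, here is an added illustration (not Esri's code; it assumes the dialog renders an HTML-like view, which the advisory does not confirm) showing a dialog label spliced in verbatim beside the neutralized form, and using a real HTML parser to count how many script elements each rendering would actually create:

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample: a layer name that a local user could place in a shared
# project and that a dialog later displays. Purely illustrative.
UNTRUSTED_LAYER_NAME = 'Parcels <script>alert("layer")</script>'


def render_dialog_vulnerable(label: str) -> str:
    """Models the CWE-79 defect: the untrusted string is spliced into the
    dialog markup verbatim, so any tags it contains become real elements."""
    return f"<div class='dialog'><span class='label'>{label}</span></div>"


def render_dialog_fixed(label: str) -> str:
    """Hardened form: the string is neutralized (HTML-encoded) before it is
    placed in the markup, so it is shown as text and never parsed as tags."""
    safe = escape(label, quote=True)
    return f"<div class='dialog'><span class='label'>{safe}</span></div>"


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees in the rendered dialog."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def script_tags_in(markup: str) -> int:
    """Counts the <script> elements an HTML parser would actually create."""
    collector = _TagCollector()
    collector.feed(markup)
    return collector.tags.count("script")


if __name__ == "__main__":
    # Vulnerable rendering yields 1 script element; the fixed rendering yields 0.
    print("vulnerable:", script_tags_in(render_dialog_vulnerable(UNTRUSTED_LAYER_NAME)))
    print("fixed:     ", script_tags_in(render_dialog_fixed(UNTRUSTED_LAYER_NAME)))
```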

The attack vector is local, meaning the attacker needs an interactive session (console or remote desktop) on the machine where ArcGIS Pro is installed. The attack complexity is low, so no advanced skills are needed. No privileges are required, but user interaction is necessary because the malicious input only takes effect when a user opens the affected dialog.

The confidentiality and integrity impacts are both rated low and there is no availability impact: the injected script can perform unauthorized actions within the application but does not disrupt the system as a whole.

Risk & Impact Analysis

Organizations using Esri ArcGIS Pro are at risk due to this vulnerability, as it allows local attackers to execute scripts with the same privileges as the user running the application. The blast radius could vary significantly based on the user roles within the organization and the access rights they possess.

The urgency for remediation is categorized as medium, given the potential for exploitation by local attackers and the need for user interaction. Organizations should assess their deployment of ArcGIS Pro and consider the implications of this vulnerability on their security posture.

Risk to organizations includes unauthorized access to sensitive data and potential manipulation of application behavior. Given the nature of the vulnerability, attackers may leverage it to perform actions that could lead to data breaches or loss of data integrity.

Exploitation Status

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

This vulnerability affects all versions of Esri ArcGIS Pro prior to version 3.6.1. Organizations must upgrade to this version to mitigate the risk associated with CVE-2026-1446.

Mitigation & Remediation

To address this vulnerability, organizations should patch to Esri ArcGIS Pro version 3.6.1 or later. If immediate patching is not possible, reduce exposure in the meantime by restricting which users can access ArcGIS Pro on shared systems and by using application whitelisting to limit unauthorized script execution.

For organizations looking to enhance their security posture, regular security assessments and penetration testing can be beneficial. Engaging in penetration testing services can help identify and remediate vulnerabilities proactively.

Detection Guidance

Organizations should monitor logs for unusual activity related to ArcGIS Pro, particularly for user interactions that involve opening dialogs in the application. Behavioral anomalies, such as unexpected script execution or unauthorized changes, should also be flagged for further investigation.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2026-1446 highlights the ongoing need for secure coding practices in application development. Organizations must remain vigilant against vulnerabilities that allow local exploitation, as they can serve as entry points for more severe attacks.

This vulnerability exemplifies the importance of user awareness and security training, as users play a critical role in mitigating risks associated with local attacks. Organizations should consider implementing comprehensive training programs to educate users about the potential risks of interacting with untrusted content.

Security teams should also focus on developing a robust vulnerability management program that addresses both known and emerging threats.

In conclusion, while CVE-2026-1446 may be classified as medium severity, the potential impact on organizations should not be underestimated. Regular updates and security best practices will be vital in safeguarding against such vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
